HitmanPro.ALERT Support and Discussion Thread

Discussion in 'other anti-malware software' started by erikloman, May 25, 2012.

  1. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,219
    Location:
    USA
    You rebooted?
     
  2. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,644
    Location:
    Under a bushel ...
    Just checked mine and Wordpad is protected by default (also Win 8.1 64-bit, HMP.A build 344) ...
     
  3. hjlbx

    hjlbx Guest

    Not on my system... which isn't anything unusual for HMP.A to misbehave or act quirky on different systems with identical OS and HMP.A version\build.
     
  4. deugniet

    deugniet Registered Member

    Joined:
    Nov 25, 2013
    Posts:
    1,243
    I guess the keystroke encryption does not work properly. It looks like it shows the encrypted characters: 'd.nivr8et'.

    1.JPG

    Win10 1511 build 10586.36 x64/HmP.Alert build 344/IE11
     
    Last edited: Dec 29, 2015
  5. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,457
    Location:
    .
    Q: browser Status Bar three boxes.
    Seems the status of the three modules Safe | Exploit | Risk stays the same regardless of the status displayed on the control panel.
    With Safe and Exploit disabled after browser start, the Status Bar border displays three boxes.
    Seems the browser border's three boxes at browser session start are maintained regardless of module status, e.g., Disabled on the control panel.
    Anyone else...? As per design...? Cosmetic glitch...? FF43.0.2x64 Thanks
     
    Last edited: Dec 28, 2015
  6. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,941
    Location:
    USA
    Same thing with Gmail, W7x64, HmP.Alert 340 in Chrome.
     
  7. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,457
    Location:
    .
    iWin Games Downloader sandbox'd
    Log Name: Application
    Source: HitmanPro.Alert
    Date: 12/29/2015 4:40:15 AM
    Event ID: 911
    Task Category: (9)
    Level: Error
    Keywords: Classic
    User: N/A
    Computer: BJM-PCW8
    Description:
    Mitigation Anti-VM

    Platform 6.3.9600/x64 06_45
    PID 24872
    Application C:\Games\iWin.com\Jewel Quest III\JewelQuest3.ifn

    VMware
    Code Injection
    0000000000190000-0000000000196000 24KB C:\Program Files\Sandboxie\SbieSvc.exe [1280]
    00000000001A0000-00000000001A1000 4KB
    00007FFD3A658000-00007FFD3A659000 4KB

    Process Trace
    1 C:\Sandbox\bjms\Test\drive\C\Games\iWin.com\Jewel Quest III\JewelQuest3.ifn [24872]
    "C:\Games\iWin.com\Jewel Quest III\JewelQuest3.ifn"
    2 C:\Sandbox\bjms\Test\drive\C\Program Files (x86)\iWin Games\iWinGames.exe [28508]
    "C:\Program Files (x86)\iWin Games\iWinGames.exe"
    3 C:\Sandbox\bjms\Test\user\current\AppData\Local\Temp\nsqEC59.tmp\iWinGames.exe [23840]
    C:\Users\bjms\AppData\Local\Temp\nsqEC59.tmp\iWinGames.exe
    4 C:\Users\bjms\Desktop\jewel-quest-iii-setup.exe [27716]
    5 C:\Program Files\Sandboxie\SbieSvc.exe [17256]
    "C:\Program Files\Sandboxie\SbieSvc.exe" Sandboxie_UacProxy:00006EDC_00007FF6_EB9FA688_00000138_
    6 C:\Program Files\Sandboxie\Start.exe [26392]
    "C:\Program Files\Sandboxie\Start.exe" /env:00000000_SBIE_CURRENT_DIRECTORY="C:\Windows\system32" /env:=Refresh "C:\Program Files\Sandboxie\SbieSvc.exe" Sandboxie_UacProxy:00006EDC_00007FF6_EB9FA688_00000138_
    7 C:\Program Files\Sandboxie\SbieSvc.exe [1280]

    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
    <System>
    <Provider Name="HitmanPro.Alert" />
    <EventID Qualifiers="0">911</EventID>
    <Level>2</Level>
    <Task>9</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2015-12-29T09:40:15.000000000Z" />
    <EventRecordID>255527</EventRecordID>
    <Channel>Application</Channel>
    <Computer>BJM-PCW8</Computer>
    <Security />
    </System>
    <EventData>
    <Data>C:\Games\iWin.com\Jewel Quest III\JewelQuest3.ifn</Data>
    <Data>Anti-VM</Data>
    <Data>Mitigation Anti-VM

    Platform 6.3.9600/x64 06_45
    PID 24872
    Application C:\Games\iWin.com\Jewel Quest III\JewelQuest3.ifn

    VMware
    Code Injection
    0000000000190000-0000000000196000 24KB C:\Program Files\Sandboxie\SbieSvc.exe [1280]
    00000000001A0000-00000000001A1000 4KB
    00007FFD3A658000-00007FFD3A659000 4KB

    Process Trace
    1 C:\Sandbox\bjms\Test\drive\C\Games\iWin.com\Jewel Quest III\JewelQuest3.ifn [24872]
    "C:\Games\iWin.com\Jewel Quest III\JewelQuest3.ifn"
    2 C:\Sandbox\bjms\Test\drive\C\Program Files (x86)\iWin Games\iWinGames.exe [28508]
    "C:\Program Files (x86)\iWin Games\iWinGames.exe"
    3 C:\Sandbox\bjms\Test\user\current\AppData\Local\Temp\nsqEC59.tmp\iWinGames.exe [23840]
    C:\Users\bjms\AppData\Local\Temp\nsqEC59.tmp\iWinGames.exe
    4 C:\Users\bjms\Desktop\jewel-quest-iii-setup.exe [27716]
    5 C:\Program Files\Sandboxie\SbieSvc.exe [17256]
    "C:\Program Files\Sandboxie\SbieSvc.exe" Sandboxie_UacProxy:00006EDC_00007FF6_EB9FA688_00000138_
    6 C:\Program Files\Sandboxie\Start.exe [26392]
    "C:\Program Files\Sandboxie\Start.exe" /env:00000000_SBIE_CURRENT_DIRECTORY="C:\Windows\system32" /env:=Refresh "C:\Program Files\Sandboxie\SbieSvc.exe" Sandboxie_UacProxy:00006EDC_00007FF6_EB9FA688_00000138_
    7 C:\Program Files\Sandboxie\SbieSvc.exe [1280]
    </Data>
    </EventData>
    </Event>

    Log Name: Application
    Source: HitmanPro.Alert
    Date: 12/29/2015 4:40:14 AM
    Event ID: 911
    Task Category: (9)
    Level: Error
    Keywords: Classic
    User: N/A
    Computer: BJM-PCW8
    Description:
    Mitigation Anti-VM

    Platform 6.3.9600/x64 06_45
    PID 28052
    Application C:\Games\iWin.com\Jewel Quest III\GLWorker.exe

    VMware
    Code Injection
    0000000000190000-0000000000196000 24KB C:\Program Files\Sandboxie\SbieSvc.exe [1280]
    00000000001A0000-00000000001A1000 4KB
    00007FFD3A658000-00007FFD3A659000 4KB

    Process Trace
    1 C:\Sandbox\bjms\Test\drive\C\Games\iWin.com\Jewel Quest III\GLWorker.exe [28052]
    "C:\Games\iWin.com\Jewel Quest III\GLWorker.exe" IsRegistered
    2 C:\Sandbox\bjms\Test\drive\C\Program Files (x86)\iWin Games\iWinGames.exe [28508]
    "C:\Program Files (x86)\iWin Games\iWinGames.exe"
    3 C:\Sandbox\bjms\Test\user\current\AppData\Local\Temp\nsqEC59.tmp\iWinGames.exe [23840]
    C:\Users\bjms\AppData\Local\Temp\nsqEC59.tmp\iWinGames.exe
    4 C:\Users\bjms\Desktop\jewel-quest-iii-setup.exe [27716]
    5 C:\Program Files\Sandboxie\SbieSvc.exe [17256]
    "C:\Program Files\Sandboxie\SbieSvc.exe" Sandboxie_UacProxy:00006EDC_00007FF6_EB9FA688_00000138_
    6 C:\Program Files\Sandboxie\Start.exe [26392]
    "C:\Program Files\Sandboxie\Start.exe" /env:00000000_SBIE_CURRENT_DIRECTORY="C:\Windows\system32" /env:=Refresh "C:\Program Files\Sandboxie\SbieSvc.exe" Sandboxie_UacProxy:00006EDC_00007FF6_EB9FA688_00000138_
    7 C:\Program Files\Sandboxie\SbieSvc.exe [1280]

    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
    <System>
    <Provider Name="HitmanPro.Alert" />
    <EventID Qualifiers="0">911</EventID>
    <Level>2</Level>
    <Task>9</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2015-12-29T09:40:14.000000000Z" />
    <EventRecordID>255526</EventRecordID>
    <Channel>Application</Channel>
    <Computer>BJM-PCW8</Computer>
    <Security />
    </System>
    <EventData>
    <Data>C:\Games\iWin.com\Jewel Quest III\GLWorker.exe</Data>
    <Data>Anti-VM</Data>
    <Data>Mitigation Anti-VM

    Platform 6.3.9600/x64 06_45
    PID 28052
    Application C:\Games\iWin.com\Jewel Quest III\GLWorker.exe

    VMware
    Code Injection
    0000000000190000-0000000000196000 24KB C:\Program Files\Sandboxie\SbieSvc.exe [1280]
    00000000001A0000-00000000001A1000 4KB
    00007FFD3A658000-00007FFD3A659000 4KB

    Process Trace
    1 C:\Sandbox\bjms\Test\drive\C\Games\iWin.com\Jewel Quest III\GLWorker.exe [28052]
    "C:\Games\iWin.com\Jewel Quest III\GLWorker.exe" IsRegistered
    2 C:\Sandbox\bjms\Test\drive\C\Program Files (x86)\iWin Games\iWinGames.exe [28508]
    "C:\Program Files (x86)\iWin Games\iWinGames.exe"
    3 C:\Sandbox\bjms\Test\user\current\AppData\Local\Temp\nsqEC59.tmp\iWinGames.exe [23840]
    C:\Users\bjms\AppData\Local\Temp\nsqEC59.tmp\iWinGames.exe
    4 C:\Users\bjms\Desktop\jewel-quest-iii-setup.exe [27716]
    5 C:\Program Files\Sandboxie\SbieSvc.exe [17256]
    "C:\Program Files\Sandboxie\SbieSvc.exe" Sandboxie_UacProxy:00006EDC_00007FF6_EB9FA688_00000138_
    6 C:\Program Files\Sandboxie\Start.exe [26392]
    "C:\Program Files\Sandboxie\Start.exe" /env:00000000_SBIE_CURRENT_DIRECTORY="C:\Windows\system32" /env:=Refresh "C:\Program Files\Sandboxie\SbieSvc.exe" Sandboxie_UacProxy:00006EDC_00007FF6_EB9FA688_00000138_
    7 C:\Program Files\Sandboxie\SbieSvc.exe [1280]
    </Data>
    </EventData>
    </Event>

    Log Name: Application
    Source: HitmanPro.Alert
    Date: 12/29/2015 4:40:13 AM
    Event ID: 911
    Task Category: (9)
    Level: Error
    Keywords: Classic
    User: N/A
    Computer: BJM-PCW8
    Description:
    Mitigation Anti-VM

    Platform 6.3.9600/x64 06_45
    PID 25884
    Application C:\Games\iWin.com\Jewel Quest III\GLWorker.exe

    VMware
    Code Injection
    0000000000190000-0000000000196000 24KB C:\Program Files\Sandboxie\SbieSvc.exe [1280]
    00000000001A0000-00000000001A1000 4KB
    00007FFD3A658000-00007FFD3A659000 4KB

    Process Trace
    1 C:\Sandbox\bjms\Test\drive\C\Games\iWin.com\Jewel Quest III\GLWorker.exe [25884]
    "C:\Games\iWin.com\Jewel Quest III\GLWorker.exe" GetDaysAccess
    2 C:\Sandbox\bjms\Test\drive\C\Program Files (x86)\iWin Games\iWinGames.exe [28508]
    "C:\Program Files (x86)\iWin Games\iWinGames.exe"
    3 C:\Sandbox\bjms\Test\user\current\AppData\Local\Temp\nsqEC59.tmp\iWinGames.exe [23840]
    C:\Users\bjms\AppData\Local\Temp\nsqEC59.tmp\iWinGames.exe
    4 C:\Users\bjms\Desktop\jewel-quest-iii-setup.exe [27716]
    5 C:\Program Files\Sandboxie\SbieSvc.exe [17256]
    "C:\Program Files\Sandboxie\SbieSvc.exe" Sandboxie_UacProxy:00006EDC_00007FF6_EB9FA688_00000138_
    6 C:\Program Files\Sandboxie\Start.exe [26392]
    "C:\Program Files\Sandboxie\Start.exe" /env:00000000_SBIE_CURRENT_DIRECTORY="C:\Windows\system32" /env:=Refresh "C:\Program Files\Sandboxie\SbieSvc.exe" Sandboxie_UacProxy:00006EDC_00007FF6_EB9FA688_00000138_
    7 C:\Program Files\Sandboxie\SbieSvc.exe [1280]

    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
    <System>
    <Provider Name="HitmanPro.Alert" />
    <EventID Qualifiers="0">911</EventID>
    <Level>2</Level>
    <Task>9</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2015-12-29T09:40:13.000000000Z" />
    <EventRecordID>255525</EventRecordID>
    <Channel>Application</Channel>
    <Computer>BJM-PCW8</Computer>
    <Security />
    </System>
    <EventData>
    <Data>C:\Games\iWin.com\Jewel Quest III\GLWorker.exe</Data>
    <Data>Anti-VM</Data>
    <Data>Mitigation Anti-VM

    Platform 6.3.9600/x64 06_45
    PID 25884
    Application C:\Games\iWin.com\Jewel Quest III\GLWorker.exe

    VMware
    Code Injection
    0000000000190000-0000000000196000 24KB C:\Program Files\Sandboxie\SbieSvc.exe [1280]
    00000000001A0000-00000000001A1000 4KB
    00007FFD3A658000-00007FFD3A659000 4KB

    Process Trace
    1 C:\Sandbox\bjms\Test\drive\C\Games\iWin.com\Jewel Quest III\GLWorker.exe [25884]
    "C:\Games\iWin.com\Jewel Quest III\GLWorker.exe" GetDaysAccess
    2 C:\Sandbox\bjms\Test\drive\C\Program Files (x86)\iWin Games\iWinGames.exe [28508]
    "C:\Program Files (x86)\iWin Games\iWinGames.exe"
    3 C:\Sandbox\bjms\Test\user\current\AppData\Local\Temp\nsqEC59.tmp\iWinGames.exe [23840]
    C:\Users\bjms\AppData\Local\Temp\nsqEC59.tmp\iWinGames.exe
    4 C:\Users\bjms\Desktop\jewel-quest-iii-setup.exe [27716]
    5 C:\Program Files\Sandboxie\SbieSvc.exe [17256]
    "C:\Program Files\Sandboxie\SbieSvc.exe" Sandboxie_UacProxy:00006EDC_00007FF6_EB9FA688_00000138_
    6 C:\Program Files\Sandboxie\Start.exe [26392]
    "C:\Program Files\Sandboxie\Start.exe" /env:00000000_SBIE_CURRENT_DIRECTORY="C:\Windows\system32" /env:=Refresh "C:\Program Files\Sandboxie\SbieSvc.exe" Sandboxie_UacProxy:00006EDC_00007FF6_EB9FA688_00000138_
    7 C:\Program Files\Sandboxie\SbieSvc.exe [1280]
    </Data>
    </EventData>
    </Event>

    Log Name: Application
    Source: HitmanPro.Alert
    Date: 12/29/2015 4:40:11 AM
    Event ID: 911
    Task Category: (9)
    Level: Error
    Keywords: Classic
    User: N/A
    Computer: BJM-PCW8
    Description:
    Mitigation Anti-VM

    Platform 6.3.9600/x64 06_45
    PID 26684
    Application C:\Games\iWin.com\Jewel Quest III\GLWorker.exe

    VMware
    Code Injection
    0000000000190000-0000000000196000 24KB C:\Program Files\Sandboxie\SbieSvc.exe [1280]
    00000000001A0000-00000000001A1000 4KB
    00007FFD3A658000-00007FFD3A659000 4KB

    Process Trace
    1 C:\Sandbox\bjms\Test\drive\C\Games\iWin.com\Jewel Quest III\GLWorker.exe [26684]
    "C:\Games\iWin.com\Jewel Quest III\GLWorker.exe" GetDaysAccess
    2 C:\Sandbox\bjms\Test\drive\C\Program Files (x86)\iWin Games\iWinGames.exe [28508]
    "C:\Program Files (x86)\iWin Games\iWinGames.exe"
    3 C:\Sandbox\bjms\Test\user\current\AppData\Local\Temp\nsqEC59.tmp\iWinGames.exe [23840]
    C:\Users\bjms\AppData\Local\Temp\nsqEC59.tmp\iWinGames.exe
    4 C:\Users\bjms\Desktop\jewel-quest-iii-setup.exe [27716]
    5 C:\Program Files\Sandboxie\SbieSvc.exe [17256]
    "C:\Program Files\Sandboxie\SbieSvc.exe" Sandboxie_UacProxy:00006EDC_00007FF6_EB9FA688_00000138_
    6 C:\Program Files\Sandboxie\Start.exe [26392]
    "C:\Program Files\Sandboxie\Start.exe" /env:00000000_SBIE_CURRENT_DIRECTORY="C:\Windows\system32" /env:=Refresh "C:\Program Files\Sandboxie\SbieSvc.exe" Sandboxie_UacProxy:00006EDC_00007FF6_EB9FA688_00000138_
    7 C:\Program Files\Sandboxie\SbieSvc.exe [1280]

    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
    <System>
    <Provider Name="HitmanPro.Alert" />
    <EventID Qualifiers="0">911</EventID>
    <Level>2</Level>
    <Task>9</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2015-12-29T09:40:11.000000000Z" />
    <EventRecordID>255524</EventRecordID>
    <Channel>Application</Channel>
    <Computer>BJM-PCW8</Computer>
    <Security />
    </System>
    <EventData>
    <Data>C:\Games\iWin.com\Jewel Quest III\GLWorker.exe</Data>
    <Data>Anti-VM</Data>
    <Data>Mitigation Anti-VM

    Platform 6.3.9600/x64 06_45
    PID 26684
    Application C:\Games\iWin.com\Jewel Quest III\GLWorker.exe

    VMware
    Code Injection
    0000000000190000-0000000000196000 24KB C:\Program Files\Sandboxie\SbieSvc.exe [1280]
    00000000001A0000-00000000001A1000 4KB
    00007FFD3A658000-00007FFD3A659000 4KB

    Process Trace
    1 C:\Sandbox\bjms\Test\drive\C\Games\iWin.com\Jewel Quest III\GLWorker.exe [26684]
    "C:\Games\iWin.com\Jewel Quest III\GLWorker.exe" GetDaysAccess
    2 C:\Sandbox\bjms\Test\drive\C\Program Files (x86)\iWin Games\iWinGames.exe [28508]
    "C:\Program Files (x86)\iWin Games\iWinGames.exe"
    3 C:\Sandbox\bjms\Test\user\current\AppData\Local\Temp\nsqEC59.tmp\iWinGames.exe [23840]
    C:\Users\bjms\AppData\Local\Temp\nsqEC59.tmp\iWinGames.exe
    4 C:\Users\bjms\Desktop\jewel-quest-iii-setup.exe [27716]
    5 C:\Program Files\Sandboxie\SbieSvc.exe [17256]
    "C:\Program Files\Sandboxie\SbieSvc.exe" Sandboxie_UacProxy:00006EDC_00007FF6_EB9FA688_00000138_
    6 C:\Program Files\Sandboxie\Start.exe [26392]
    "C:\Program Files\Sandboxie\Start.exe" /env:00000000_SBIE_CURRENT_DIRECTORY="C:\Windows\system32" /env:=Refresh "C:\Program Files\Sandboxie\SbieSvc.exe" Sandboxie_UacProxy:00006EDC_00007FF6_EB9FA688_00000138_
    7 C:\Program Files\Sandboxie\SbieSvc.exe [1280]
    </Data>
    </EventData>
    </Event>
    HitmanPro.Alert Attack Intercepted GLWorker.png
    Q: so, did Alert mitigate an Anti-VM exploit because there's malicious code designed to prevent analysis in sandbox trying to run in my sandbox...or, is there simply generic malware trying to run in my sandbox...?
    What's GLWorker...? @markloman @erikloman
     
    Last edited: Dec 30, 2015
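An added example (not code from the thread, from SurfRight or from Sandboxie) for the Event ID 911 records bjm_ pasted above: it parses the Event XML into its fields (mitigation, PID, the hypervisor probed for, injected regions with the injecting image, process trace) so such alerts can be triaged from the Application log rather than by eye. The sample event is a trimmed copy of the GLWorker.exe one above; the triage rule, which marks an injected region as expected only when the injecting image is a known sandbox/hooking component whose PID also appears in the target's own process trace, is my assumption about how to separate a sandbox's hooks from an outside injector, not documented HMP.A behaviour.

```python
"""Parse a HitmanPro.Alert 'Attack Intercepted' event (Event ID 911) from Event Viewer XML."""
import re
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample: a trimmed copy of one of the events quoted in the thread.
SAMPLE_EVENT = r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="HitmanPro.Alert" />
<EventID Qualifiers="0">911</EventID>
<TimeCreated SystemTime="2015-12-29T09:40:14.000000000Z" />
</System>
<EventData>
<Data>C:\Games\iWin.com\Jewel Quest III\GLWorker.exe</Data>
<Data>Anti-VM</Data>
<Data>Mitigation Anti-VM

Platform 6.3.9600/x64 06_45
PID 28052
Application C:\Games\iWin.com\Jewel Quest III\GLWorker.exe

VMware
Code Injection
0000000000190000-0000000000196000 24KB C:\Program Files\Sandboxie\SbieSvc.exe [1280]
00000000001A0000-00000000001A1000 4KB
00007FFD3A658000-00007FFD3A659000 4KB

Process Trace
1 C:\Sandbox\bjms\Test\drive\C\Games\iWin.com\Jewel Quest III\GLWorker.exe [28052]
"C:\Games\iWin.com\Jewel Quest III\GLWorker.exe" IsRegistered
2 C:\Sandbox\bjms\Test\drive\C\Program Files (x86)\iWin Games\iWinGames.exe [28508]
"C:\Program Files (x86)\iWin Games\iWinGames.exe"
7 C:\Program Files\Sandboxie\SbieSvc.exe [1280]
</Data>
</EventData>
</Event>"""

INJECTION_RE = re.compile(r"^([0-9A-F]{16})-([0-9A-F]{16})\s+(\d+)KB(?:\s+(.+?)\s+\[(\d+)\])?$")
TRACE_RE = re.compile(r"^(\d+)\s+(.+?)\s+\[(\d+)\]$")


def parse_event(xml_text):
    """Header fields plus the free-text description split into structured parts."""
    root = ET.fromstring(xml_text)
    if root.find("e:System/e:Provider", NS).get("Name") != "HitmanPro.Alert":
        raise ValueError("not a HitmanPro.Alert event")
    data = [d.text or "" for d in root.findall("e:EventData/e:Data", NS)]
    report = {"event_id": int(root.findtext("e:System/e:EventID", namespaces=NS)),
              "target": data[0], "mitigation": data[1], "platform": None, "pid": None,
              "application": None, "vm_vendor": None, "injections": [], "trace": []}
    section = None
    for raw in data[2].splitlines():
        line = raw.strip()
        if not line or line.startswith("Mitigation "):
            continue
        if line in ("Code Injection", "Process Trace"):
            section = line
        elif line.startswith("Platform "):
            report["platform"] = line.split(" ", 1)[1]
        elif line.startswith("PID "):
            report["pid"] = int(line.split(" ", 1)[1])
        elif line.startswith("Application "):
            report["application"] = line.split(" ", 1)[1]
        elif section is None:
            report["vm_vendor"] = line  # hypervisor whose presence the process probed for
        elif section == "Code Injection" and (m := INJECTION_RE.match(line)):
            start, end, kb, module, src_pid = m.groups()
            report["injections"].append({"start": int(start, 16), "end": int(end, 16),
                                         "kb": int(kb), "module": module,
                                         "src_pid": int(src_pid) if src_pid else None})
        elif section == "Process Trace" and (m := TRACE_RE.match(line)):
            report["trace"].append({"depth": int(m.group(1)), "image": m.group(2),
                                    "pid": int(m.group(3))})
    return report


def triage(report, hooking_images=("\\sandboxie\\sbiesvc.exe",)):
    """Assumed rule, not HMP.A's own: a region is 'expected' only when the injecting
    image is a known sandbox/hooking component AND its PID sits in the target's own
    process trace (part of the launch chain); everything else is left for 'review'."""
    trace_pids = {t["pid"] for t in report["trace"]}
    verdicts = []
    for inj in report["injections"]:
        if inj["module"] is None:  # anonymous region: nothing to attribute it to
            verdicts.append((hex(inj["start"]), "review"))
            continue
        known = any(inj["module"].lower().endswith(s) for s in hooking_images)
        verdicts.append((inj["module"], "expected" if known and inj["src_pid"] in trace_pids else "review"))
    return verdicts
```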
  8. Damnatus

    Damnatus Registered Member

    Joined:
    Dec 29, 2015
    Posts:
    16
    Hi there,

    I've started using HMP.A in addition to G Data Total Protection (Version 25.1.0.9). Sadly they interfere with each other in a very odd way. I'm using the G Data Firewall, and with HMP.A activated the firewall notifications display the wrong programs which want to connect, or display the wrong 'Started by' programs. If I display the details, the correct program is shown in the program dependencies. I don't know if you feel responsible, so I just want to inform you about this behavior as I've informed G Data.
     
  9. Damnatus

    Damnatus Registered Member

    Joined:
    Dec 29, 2015
    Posts:
    16
    As I'm not allowed to edit (yet) I want to add my OS: Win 10 Ver 1511.
     
  10. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,219
    Location:
    USA
    You could try adding G Data Total Protection to the exclusion list in HMPA, and exclude HMPA in G Data if that is possible.
     
  11. test

    test Registered Member

    Joined:
    Feb 15, 2010
    Posts:
    499
    Location:
    italy
    Hi, Erik!

    I've just updated AIMP 4 to build 1683 but now I always observe a ROP attack as soon as I try to run it
    (AIMP 4 → protected app, template = Media)

    Code:
    Mitigation   ROP
    
    Platform     10.0.10586/x64 06_3c
    PID          2108
    Application  C:\Program Files (x86)\AIMP3\AIMP.exe
    Description  AIMP 4
    
    Branch Trace                      Opcode  To                            
    -------------------------------- -------- --------------------------------
    GetDesktopWindow +0x43             ~ RET  BASS_Init +0x7b              
    0x773734C3 user32.dll                     0x71BB3AB0 bass.dll          
    
    GetDesktopWindow +0x92               RET  GetDesktopWindow +0xa        
    0x77373512 user32.dll                     0x7737348A user32.dll        
    
    0x71BDF11C bass.dll                ~ RET* GetDesktopWindow()            
                                              0x77373480 user32.dll        
                8bff                     MOV          EDI, EDI
                53                       PUSH         EBX
                56                       PUSH         ESI
                57                       PUSH         EDI
                e83f000000               CALL         0x773734c9
                8bf0                     MOV          ESI, EAX
                8bda                     MOV          EBX, EDX
                64a118000000             MOV          EAX, [FS:0x18]
                8b88dc0f0000             MOV          ECX, [EAX+0xfdc]
                85c9                     TEST         ECX, ECX
                7902                     JNS          0x773734a0
                03c1                     ADD          EAX, ECX
                33ff                     XOR          EDI, EDI
                0500080000               ADD          EAX, 0x800
                740d                     JZ           0x773734b6
                f7401c00000020           TEST         DWORD [EAX+0x1c], 0x20000000
                                     (862A2D92A4F4EC2B)
    
    
    0x71B9455D bass.dll                ~ RET  BASS_Init +0x6e              
                                              0x71BB3AA3 bass.dll          
    
    RtlLeaveCriticalSection +0x34      ~ RET  0x71B9455D bass.dll          
    0x77C2EEF4 ntdll.dll                                                    
    
    0x71BDF0F0 bass.dll                ~ RET* RtlLeaveCriticalSection()    
                                              0x77C2EEC0 ntdll.dll          
                8bff                     MOV          EDI, EDI
                55                       PUSH         EBP
                8bec                     MOV          EBP, ESP
                53                       PUSH         EBX
                56                       PUSH         ESI
                8b7508                   MOV          ESI, [EBP+0x8]
                57                       PUSH         EDI
                834608ff                 ADD          DWORD [ESI+0x8], -0x1
                751d                     JNZ          0x77c2eeee
                c7460c00000000           MOV          DWORD [ESI+0xc], 0x0
                8d7e04                   LEA          EDI, [ESI+0x4]
                83c9ff                   OR           ECX, -0x1
                b8feffffff               MOV          EAX, 0xfffffffe
                f00fb10f                 LOCK CMPXCHG [EDI], ECX
                8bd8                     MOV          EBX, EAX
                83fbfe                   CMP          EBX, -0x2
                                     (FC8DA113A614DD49)
    
    
    0x71B94551 bass.dll                  RET  BASS_Init +0x57              
                                              0x71BB3A8C bass.dll          
    
    RtlEnterCriticalSection +0x2b        RET  0x71B94551 bass.dll          
    0x77C2EF6B ntdll.dll                                                    
    
    0x71B94481 bass.dll                  RET  BASS_Init +0x15              
                                              0x71BB3A4A bass.dll          
    
    @Acl@Threading@TACLCriticalSection@Enter$qqrv +0x3c     RET  @Bassapi@BASS_CheckInitialize$qqrv +0xd
    0x01BDF3CC AIMP.Runtime.dll               0x71D2AF65 AIMP.Shared.dll    
    
    @Acl@Threading@LockCompareExchange$qqrxucxucpxuc +0x4     RET  @Acl@Threading@TACLCriticalSection@Enter$qqrv +0x30
    0x01BDF1E4 AIMP.Runtime.dll               0x01BDF3C0 AIMP.Runtime.dll  
    
    GetCurrentThreadId +0x9              RET  @Acl@Threading@TACLCriticalSection@Enter$qqrv +0x9
    0x74C11B99 kernel32.dll                   0x01BDF399 AIMP.Runtime.dll  
    
    @System@@IntfAddRef$qqrx44System@%DelphiInterface$17System@IInterface% +0xa     RET  @Aso@Decoders@Bass@TASOBASSDecoderExtension@CreateDecoder$qqs49System@%DelphiInterface$22Apiobjects@IAIMPStream%ui52System@%DelphiInterface$25Apiobjects@IAIMPErrorInfo%r56System@%DelphiInterface$29Apidecoders@IAIMPAudioDecoder% +0x1b
    0x018A6B0A AIMP.Runtime.dll               0x71D41F8B AIMP.Shared.dll    
    
    Stack Trace
    #  Address  Module                   Location
    -- -------- ------------------------ ----------------------------------------
    1  71B91952 bass.dll              
                8bf0                     MOV          ESI, EAX
                85f6                     TEST         ESI, ESI
                7440                     JZ           0x71b91998
                68d49dbb71               PUSH         DWORD 0x71bb9dd4
                56                       PUSH         ESI
                ff15b870bb71             CALL         DWORD [0x71bb70b8]
                85c0                     TEST         EAX, EAX
                7430                     JZ           0x71b91998
                8a4809                   MOV          CL, [EAX+0x9]
                80f9e8                   CMP          CL, 0xe8
                7508                     JNZ          0x71b91978
                8b869f660000             MOV          EAX, [ESI+0x669f]
                eb0d                     JMP          0x71b91985
    
    2  00000004 (unknown)            
    
    Process Trace
    1  C:\Program Files (x86)\AIMP3\AIMP.exe [2108]
    2  C:\Program Files (x86)\HitmanPro.Alert\hmpalert.exe [3136]
    "C:\Program Files (x86)\HitmanPro.Alert\hmpalert.exe" /restart:752649BB123FCAB9
    3  C:\Program Files (x86)\HitmanPro.Alert\hmpalert.exe [1160]
    "C:\Program Files (x86)\HitmanPro.Alert\hmpalert.exe" /service
    
    AIMP v4.00 build 1683

    Code:
      bass.dll
      MD5: BEAB4868A86733CAC83FB815B43E215F
      SHA-1: CEEE3F3399E8775359B2B1B02090978F32AFCDAB
      SHA-256: 0BFE6950FF05DFB408820B735DA7F044D83F49F26E4DE39267F1F69E11392F19 
    ~ Removed VirusTotal Results as per Policy - PM Developer ~


    Alert 3.1.343
     
    Last edited by a moderator: Dec 29, 2015
  12. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,219
    Location:
    USA
    Might be worth trying it with Alert 3.1.344 since it's the latest.
     
  13. test

    test Registered Member

    Joined:
    Feb 15, 2010
    Posts:
    499
    Location:
    italy
    I think this 'FP' must be 'whitelisted' by SurfRight since it is likely a 'legitimate ROP' (so, even if I switch to the latest build, if bass.dll performs a ROP, ...)


    Anyway, thank you again for the tip
     
  14. test

    test Registered Member

    Joined:
    Feb 15, 2010
    Posts:
    499
    Location:
    italy
    You have shielded SBxie, right? Why?
     
  15. Alexhousek

    Alexhousek Registered Member

    Joined:
    Jul 25, 2009
    Posts:
    662
    Location:
    USA--Oregon
    Forgive my ignorance, but I just started reading about HMPA and I really don't have the time to go back and read 328 pages of posts. I'm hoping someone can answer a couple of questions.

    Is HMPA compatible with Sandboxie and WSA? What does HMPA offer, or what does it add, if I'm already using Sandboxie and WSA?

    Thank you. My apologies as these questions have probably already been answered in this thread.
     
  16. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,219
    Location:
    USA
    At the heart of HMPA is exploit protection. To my knowledge exploit protection is not offered to the same extent in current antivirus, and so I see HMPA as an essential part of layered security. It also offers browser protection, protection against crypto-ransomware, such as CryptoWall, and more :)

    HMPA gets along well with Webroot SecureAnywhere. The only issue is a conflict between WSA's Identity Shield and HMPA's Live Keystroke Encryption Indicator. When the Identity Shield is enabled the live keystroke encryption doesn't display (and when the Identity Shield is turned off it does). It is unclear if this is just a display problem or if in fact the keystroke encryption is disabled. Attempts have been made to get Webroot support to troubleshoot this, but so far there has been no resolution. WSA has its own keylogger protection so I believe this "attack vector" is still blocked.

    I don't use SandboxIE, but a number of people here do. Some folks have it working well with HMPA and others not so much. There's help if you run into problems with it.

    If you decide to try HMPA just make sure to go into the sections of WSA and mark HMPA as "allowed" (don't leave it "blocked" or "protected"). Hope this helps :thumb:
     
  17. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,644
    Location:
    Under a bushel ...
    HMP.A is compatible with WSA, except that you won't see the keystroke encryption indicator with the WSA Identity Shield on, though the keystroke encryption is unaffected, according to Surfright.
    HMP.A is also compatible with Sandboxie; there is a compatibility template for HMP.A in Sandboxie, which Sandboxie should automatically detect.
    Over and above WSA's anti-malware capabilities, HMP.A primarily adds exploit mitigation, but also safe browsing for banking, etc. and includes a number of other risk reduction techniques against some ransomware, etc. HMP.A is a valuable extra layer of security.
    If I have understood correctly, if you buy HMP.A before the end of 2015, your license will include the HitmanPro second opinion scanner as a standalone product also. From 2016, these will be two separate licenses.
    Edit: Victek beat me to it, and more eloquently! :)
    Add hmpalert.exe as 'Allow' under Application Protection in WSA Identity Protection, also under Block/Allow Files, and under Control Active Processes (right-click WSA taskbar icon).
     
  18. Alexhousek

    Alexhousek Registered Member

    Joined:
    Jul 25, 2009
    Posts:
    662
    Location:
    USA--Oregon
    Thanks to both of you! That was quite helpful!
     
  19. whitewaterbug

    whitewaterbug Registered Member

    Joined:
    Dec 31, 2015
    Posts:
    1
    Is anyone using HMP.A and Cylance or SentinelOne? Looking for your perspectives on whether you view them as competitive or complementary/layered.
     
  20. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,644
    Location:
    Under a bushel ...
  21. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Note on both those websites no pricing, which means unless you are a large company you can't afford it.
     
  22. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,219
    Location:
    USA
    Neither one of these appears to be generally available yet...?
     
  23. guest

    guest Guest

    Nope, and you can't even get a demo of Cylance if you are outside the USA.
     
  24. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,457
    Location:
    .
    C:\Sandbox as per BRN = Exception R/W and User Space Yes.
    The sandbox container folder is by default located in System-Space. For Sandboxie to work, guarded applications running sandboxed must be able to write to it. For optimum security, all executables launched from the sandbox container folder should also be guarded. To achieve both goals, the folder has to be moved from System-Space to User-Space.
     
  25. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    I don't think the question related to how SBIE works, just whether you added Sandboxie to HMPA protection.
     